Adversary Threat Tactics are Changing


Early 2010s: Zero-day Vulnerabilities (Nation State, Industrial Espionage, Black Market)

Today: Rapidly weaponizing newly-disclosed vulnerabilities (Good, Fast, Cheap - Pick 3)


Known Critical Vulnerabilities are Increasing 


- 14-16K vulnerabilities were disclosed in 2017-2019
- 30-40% are ranked as "High" or "Critical" severity
- Worm-able vulnerabilities are increasing (WannaCry, BlueKeep)
- "Mean Time to Weaponize" is rapidly decreasing year over year
Let's Talk About BlueKeep (RDP Vulnerability)


News headlines on BlueKeep:

"U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert"

"US company selling weaponized BlueKeep exploit" (July 25, 2019): An exploit for a vulnerability that Microsoft feared it may trigger the next WannaCry is now being sold commercially.

"BlueKeep Exploits Appear as Security Firms Continue to Worry About Cyberattack" (Robert Lemos): The lack of an attack has puzzled some security experts, but the general advice remains that companies should patch their vulnerable systems more quickly.

Editor's Pick, Nov 3, 2019: Davey Winder, Senior Contributor, Cybersecurity (November 2019)


Qualys Blog: Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) — How to Detect and Remediate
Animesh Jain, in The Laws of Vulnerabilities


This is a serious vulnerability and patches should be applied immediately. An attacker could exploit this vulnerability by using a spoofed code-signing certificate, meaning an attacker could let you download and install malware that pretended to be something legit, such as software updates, due to the spoofed digital signature. Examples where validation of trust may be impacted include

Exploits/PoC:
There are no reports of active exploitation or PoC available in public domain at this point of time. However, per NSA advisory "Remote exploitation tools will likely be made quickly and widely available."


Get Proactive - Reduce the Attack Surface

- Immediately discover assets and vulnerabilities
- Patch and verify remediation / stop the instance
- Change configuration to limit unauthorized access
- Control network access / cloud security groups
- Add Endpoint Detection and Response
Proactively Hunt, Detect, and Respond

- Indication of Compromise: detect malware, IOCs, IOAs, and verify threat intel
- Security Analytics (Summer 2020): augment SIEMs by finding attacks using behavioral analytics and MITRE ATT&CK
Qualys IOC - Hunt Using Threat Intel

Threat intelligence lists attack information...

NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing
October 6, 2017

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list.

Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details

Anti-Virus Coverage
VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report

Delivery — MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation — MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) — MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions
NotPetya leverages multiple propagation methods to spread within an infected network.
According to malware analysis, NotPetya attempts the lateral movement techniques below:

Search for the file hash here...

Screenshot: Qualys IOC Hunting view (Qualys Demo), searching the last 7 days for the credential-stealer hash d926e76030f19f1f7ef0b3cd1a4e80f9 returns 2 events, object svvchost.exe, on assets WIN2008R2-11566 and WIN7-320860-T44.
Detect Malware Missed by Anti-Virus

UK Government Contractor:
- "Big 4" anti-virus installed
- Qualys Agent for Vulnerability Mgmt
- Added Qualys IOC on existing agents
- 256 hosts

Qualys IOC discovered...
- Dridex Banking Trojan (51)
- 4 domain controllers infected
- Backdoors (7) installed due to phishing campaigns
- Netcat (8) root kits installed
- 46 PUAs installed

(Chart: Malicious / Potentially Unwanted Apps - by hostname)
Demo


Beyond Endpoint Detection and Response:
How can I better protect my crown jewels?

Threat Hunting Assumptions:

* Every user machine can be compromised - it only takes one click
* Every Remote Code Execution (RCE) vulnerability can be exploited
* Local Privilege Escalation and Credential Harvesting to move laterally
* System misconfigurations are often overlooked and easy to exploit
* Network segmentation is rarely used internally due to management


All attacks are not equal: can Adversaries reach my Critical Servers? 
Adversary Lateral Movements (Attack Paths)

Security tiers, lower to higher: User Segments -> Business Apps -> IT Systems -> Tier 0 Systems ("Crown Jewels")

1. Bad actor compromises a user device (email phishing, etc.).
2. Find systems in higher security tiers by looking for existing connections or network reconnaissance.
3. Laterally move to new system by:
   - Exploiting open vulnerabilities
   - Taking advantage of misconfigurations
   - Using compromised credentials

Steps 2 and 3 repeat at each tier until the crown jewels are reached.
Attack Path Discovery (summer 2020)

Network Reachability
- Determine connections between hosts using Cloud Agent
- Passive + Active network collection
- Store these connections in a Graph Database for fast query

+

Asset Security Posture
- Remotely Exploitable Vulnerabilities
- System Misconfigurations
- Malware, IoCs, and Indicators of Activity
Breach Attack & Simulation

Screenshot: Network Topology view with assets grouped by segment (IT Mgmt Network, Users, Datacenter, Corporate Apps, SWIFT Payment). Nodes in the 172.16.201.x range include HR SharePoint, shippinglabelApp, HMI devices and an HP LaserJet 400 MFP M425 Postscript printer.
Attack Path Discovery for Proactive Threat Hunting and Response Priority
Indication of Compromise - Hunting

Screenshot: Qualys IOC Hunting view before filtering: 675,335 total events (file 258K, network 19.4K, process 3.99K, registry 384K; event actions created 642K, established 4.65K, listening 14.7K) on assets WIN10PMIOC4 and EC2AMAZ-Q1M5FIB. Recent rows are TCP/UDP connections established or listening by svchost.exe and QualysAgent.exe, and file/process events for WindowsAzureTelemetryService.exe, QualysAgent.exe and WmiPrvSE.exe.
Indication of Compromise - Hunting (filtered by hash)

Screenshot: searching for SHA256 5ceec909f3dfc890fdd1e76d6f3cc093465c9d980d68b9987fc3f5eb289b6bd2 narrows the events to 5, all scored 10 and labelled Trickbot Trojan, on asset SHAREPT003 (172.31.0.111): file and process events for temp0291.exe in c:\Users\qualys\AppData\Roaming, a mutex created by temp0291.exe, and a TCP connection to 66.85.173.57 (tar.theoutlan.com):443 established by temp0291.exe.
Network

Screenshot: Network Topology view (last 7 days) with the HR SHAREPOINT asset selected. SharePoint | 172.31.0.111 | New York, NY. Tags: New York, Corporate Apps, HR Apps. Last scan: 60 days. INFECTIONS (4 Events): Process temp0291.exe, Malware: Trickbot, Risk Score 9; Files WormDll64, NetworkDll64 and ShareDll64, Malware: Trickbot, Risk Score 8 each.
Network

Screenshot: the same HR SHAREPOINT asset view with the Quick Menu open: View Asset Details, Execute a Response, Quarantine Host.
Execute a Response

The following response will be executed for the selected processes and files on the defined hosts.

Process (1)
PROCESS NAME | MALWARE | HOST
temp0291.exe | TrickBot | SHAREPT003
Actions: Kill Process, Quarantine File

File Type (3)
FILE NAME | MALWARE | HOST
WormDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
NetworkDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
ShareDll64 (C:\Users\support\AppData\Roaming) | TrickBot | SHAREPT003
Action: Quarantine File
Scale Human Response with Automation

- Qualys finds active attacks on endpoint using Indication of Compromise
- Go beyond endpoint detection with Security Analytics - correlate user, network, application, cloud, container
- Use attack path discovery as metadata to detect attacks that can reach critical assets
- Automate response to protect critical assets using Security Orchestration response playbooks
Screenshot: Security Orchestration response playbook. Asset Scope: All Assets. Criteria: Process Execution event for "Trickbot"; Criteria: Outbound Connection to Rus (truncated in the screenshot). Actions: Post Message to Slack Channel (vdr@qualys.com), Device Quarantine, Block Rule using Palo Alto. End.

Attack Path Discovery to Prioritize Patching and Improve Security Defenses
Screenshot: Network Topology view (last 7 days).
Vulnerability Remediation Prioritization

- CVSSv2 / CVSSv3 scores
- Qualys QID Severity score
- Qualys Tagging for Asset Business Criticality
- Qualys Threat Protection Real-Time Indicators (based on threat intel and live attacks)
- Qualys VMDR Threat Prioritization (Machine Learning model + Contextual Awareness)
- Qualys Attack Path Discovery
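To make the attack-path idea behind the "Attack Path Discovery" and "Vulnerability Remediation Prioritization" slides concrete, here is an added example (not Qualys code) that models the graph they describe: observed host-to-host connections plus each host's exploitable findings, walked from user-segment hosts to Tier 0 crown jewels so that exposures can be ranked for patching and actively infected hosts for response. Host names, connections and exposure labels are constructed for illustration.

```python
"""Added example (not Qualys code): attack-path discovery over observed host
connections. Hosts, links and exposure labels are constructed; tiers follow the
slide (3 = user segment ... 0 = Tier 0 crown jewels); "ioc" = active infection."""
from collections import defaultdict

HOSTS = {  # "exposures" = exploitable findings: open vuln, misconfig, reusable creds
    "USER-PC-01":    {"tier": 3, "exposures": set(), "ioc": True},
    "HR-SHAREPOINT": {"tier": 2, "exposures": {"RDP BlueKeep"}, "ioc": False},
    "PRINTER-01":    {"tier": 2, "exposures": {"default creds"}, "ioc": False},
    "IT-JUMP-01":    {"tier": 1, "exposures": {"shared local admin"}, "ioc": False},
    "DC-01":         {"tier": 0, "exposures": {"shared local admin"}, "ioc": False},
    "SWIFT-PAY-01":  {"tier": 0, "exposures": {"unpatched RCE"}, "ioc": False},
}
CONNECTIONS = [  # seen by passive/active collection, directed src -> dst
    ("USER-PC-01", "HR-SHAREPOINT"), ("USER-PC-01", "PRINTER-01"),
    ("HR-SHAREPOINT", "IT-JUMP-01"), ("IT-JUMP-01", "DC-01"),
    ("IT-JUMP-01", "SWIFT-PAY-01"), ("PRINTER-01", "SWIFT-PAY-01"),
]

def build_graph(connections):
    graph = defaultdict(set)  # adjacency sets, as a graph-database query returns
    for src, dst in connections:
        graph[src].add(dst)
    return graph
def attack_paths(hosts, graph, start):
    """Simple paths from `start` to Tier 0 hosts; every hop must land on a
    host with an exposure, otherwise the connection is not a usable path."""
    paths = []
    def walk(node, path):
        if hosts[node]["tier"] == 0 and node != start:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path and hosts[nxt]["exposures"]:
                walk(nxt, path + [nxt])
    walk(start, [start])
    return paths
def exposure_priority(hosts, graph):
    """Rank (host, exposure) by the Tier 0 hosts it puts on a path from a user
    segment: the order in which to patch or harden."""
    reach = defaultdict(set)
    for start in (h for h, i in hosts.items() if i["tier"] == 3):
        for path in attack_paths(hosts, graph, start):
            for hop in path[1:]:
                for exp in hosts[hop]["exposures"]:
                    reach[(hop, exp)].add(path[-1])
    return sorted(reach.items(), key=lambda kv: -len(kv[1]))
def infected_reach(hosts, graph):
    """Response priority: Tier 0 hosts an actively infected host can reach."""
    return {h: {p[-1] for p in attack_paths(hosts, graph, h)}
            for h, i in hosts.items() if i["ioc"]}
```

With the constructed data, the BlueKeep exposure on HR-SHAREPOINT sits on paths to both crown jewels, so it outranks the single-target exposures, and the infected USER-PC-01 can reach both Tier 0 hosts, which is the response-priority signal the deck describes.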
Thank You

Chris Carlson
ccarlson@qualys.com


